Notice: We are still operating during the COVID-19 crisis. However, we
are not allowing visitors to our office and most of our staff is operating
remotely. Our attorneys and staff are still available to help you by phone
and email. If you get our voice mail, please leave a message and it will
be returned promptly. There may be delays with mail due to the crisis,
so please try to send documents by email after submitting a contact form
here or fax to 312-419-0379, if possible.

Illinois Biometric Identification Privacy Act

By
Edelman Combs Latturner & Goodwin, LLC
|May 14, 2020

The Illinois Supreme Court has held that the Illinois Biometric Identification Privacy Act, 740 ILCS 14/1 et seq. ("BIPA"), does not require persons whose fingerprints or other biometric identifiers are stored without compliance with the law to prove anything more before being able to sue for the statutory damages prescribed by the statute. Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019).

Plaintiff had sued theme park operator Six Flags Entertainment for requiring her son to scan his fingerprint to verify his identity when using his season pass at Six Flags Great America amusement park in Gurnee.

BIPA restricts the collection and use by private entities of "biometric information," defined as "any information, regardless of how it is captured, based on an individual's biometric identifiers that is used to identify an individual." "Biometric identifiers" are defined to mean "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry." Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening. 740 ILCS 14/10.

BIPA requires companies in possession of biometric identifiers or information to (1) have a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first, (2) comply with such policy; (3) prior to acquiring biometric information, inform the subject that biometric information is being collected or stored and the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and receive a written release executed by the subject. BIPA also prohibits companies from selling, trading or otherwise profiting from a person's biometric information, disclosing or disseminating such information without consent, unless the disclosure completes a financial transaction requested or authorized by the subject of the biometric c information or the disclosure is required by law. Biometric information must be stored, transmitted and protected against disclosure using reasonable standards of care and in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information. 740 ILCS 14/15.

There is a private right of action for any person "aggrieved" by a violation of BIPA. The plaintiff may recover, for each violation of BIPA: (1) the greater of $1,000 in liquidated damages or actual damages for negligent violations, (2) the greater of $5,000 in liquidated damages or actual damages for intentional or reckless violations, (3) reasonable attorneys' fees and costs, including expert witness fees and other litigation expenses, and (4) injunctive or other relief the court deems appropriate.

The Appellate Court had dismissed the case on the theory that the plaintiff had no standing to sue because there was no evidence the fingerprint scans resulted in any harm to her or her son, as the data was not compromised, disclosed to a third party or misused. The plaintiff contended that the alleged violation of the law alone should be enough to establish Rosenbach and her son should be considered “aggrieved” persons entitled to sue under BIPA.

The state Supreme Court held that BIPA allowed anyone to sue any business or organization, if they allege the company did not abide by any of the requirements of the BIPA law before scanning and storing a fingerprint, retinal scan, facial geometry or other biometric identifiers. Proof of misuse of the information or actual damages is not required.

BIPA provides simply that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.” Requiring plaintiffs to demonstrate they had actually been harmed by a technical violation of the law would be contrary to the will of the lawmakers who drafted the law. “In reaching a contrary conclusion, the appellate court characterized violations of the law, standing alone, as merely ‘technical’ in nature,”Justice Karmeier wrote. “Such a characterization, however, misapprehends the nature of the harm our legislature is attempting to combat through this legislation.” “The Act (BIPA) invests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent.”

The Supreme Court held: “Accepted principles of statutory construction, however, compel the conclusion that a person need not have sustained actual damage beyond violation of his or her rights under the Act in order to bring an action under it.” “Contrary to the appellate court’s view, an individual need not allege some injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.” The Supreme Court defined the term “aggrieved” as simply meaning that a person has a “substantial grievance,” or the “denial of some personal or property right.” Actual damages are not necessary because “[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of…”

Please contact us if you have been subjected to any of the conduct prohibited by the statute.

Most violations appear to arise in the employment context, for example when employees are required to use fingerprints to clock in.

The information on this website is for general information purposes only.
Nothing on this site should be taken as legal advice for any individual
case or situation. This information is not intended to create, and receipt
or viewing does not constitute, an attorney-client relationship.